I’ve tried password protecting my Yubikey but that seems to only protect TOTP, but not FIDO2. Is there a way to fully password-protect a Yubikey in case it’s stolen?
If it’s stolen, how would someone know your accounts to use the yubikey on them? That would mean you’re actively being targeted and require more than just a password on a hardware key
The Yubico Authenticator app lists all the accounts. From there, they only need a password. It doesn’t need to be targeted since anyone can pick up a lost Yubikey.
I just tried with my yubikey (a 5 with USB-A), it asked for a password (that I had set in the desktop manager app) before letting me actually do things with the key and it didn’t list my FIDO2 accounts (I have 5 different accounts set up with FIDO2 on this key). I don’t have any TOTP stuff set up so ymmv
The problem isn’t with viewing them in the app. Try logging into websites using FIDO2 without opening the Yubico Authenticator app at all. It works without requiring the Yubikey password.
Then we get back to the original question of “how would someone know the accounts in the first place?”
Right, they wouldn’t be able to see the FIDO2 keys inside the app (At least I can’t seem to after connecting it). I guess the password is only needed for TOTP then since those are the only ones exposed to users in the app.
Technically discoverable FIDO2 credentials could be read, and you can protect those with a PIN in your (Chromium) browser at
But yeah, most FIDO2 credentials are not discoverable (which means they do not contain identifiers like your username), and those can’t be PIN protected AFAIK, but they also don’t really need to be like @pinkandwhite said
Actually, I ended up figuring out you can PIN-protect ones that show up in the Yubikey Manager, but it seems like not all of them show up for some reason. I agree though that the ones that aren’t visible don’t need to be PIN-protected
Good to know, that probably does the exact same thing as the browser-based setup I linked. I’ve never used the Yubikey Manager app itself for anything.